
HACK ATTACK: 100s of Robo-Calls - how can I stop this?

Discussion in '3CX Phone System - General' started by neotheghost, Dec 12, 2017.

Thread Status:
Not open for further replies.
  1. neotheghost
    I get calls almost every minute all day long. These calls are not coming from the trunk; they are direct SIP calls with fake caller IDs like "test" or "1234567899".
    The robocall leaves no message in my mailbox, just 14 seconds of silence.

    What can I do to stop those calls? How can I completely block such direct SIP calls?

    Here is the log file for such a spam call:

    Code:
    12/10/2017 3:03:05 AM - Currently active calls [none]
    12/10/2017 3:02:42 AM - Leg L:74.3[VMail:00] is terminated: Cause: BYE from local
    12/10/2017 3:02:42 AM - Leg L:74.1[Line:10000<<1234567999] is terminated: Cause: BYE from local
    12/10/2017 3:02:42 AM - [CM503008]: Call(C:74): Call is terminated
    12/10/2017 3:02:42 AM - [CM503021]: Call(C:74): ACK is not received from sip:1234567999@SERVER.IP;transport=UDP
    12/10/2017 3:02:35 AM - Currently active calls - 1: [74]
    12/10/2017 3:02:24 AM - Leg L:74.2[Ivr:HOL] is terminated: Cause: BYE from 127.0.0.1:5483
    12/10/2017 3:02:24 AM - [CM503007]: Call(C:74): VMail:00 has joined, contact <sip:00@127.0.0.1:5483>
    12/10/2017 3:02:24 AM - L:74.3[VMail:00] has joined to L:74.1[Line:10000<<1234567999]
    12/10/2017 3:02:24 AM - [CM505001]: Endpoint VMail:00: Device info: Device Not Identified: User Agent not matched; Capabilities:[reinvite, replaces, able-no-sdp, recvonly] UserAgent: [3CX Voice Mail Menu] PBX contact: [sip:00@127.0.0.1:5060]
    12/10/2017 3:02:24 AM - [CM503002]: Call(C:74): Alerting VMail:00 by contact <sip:00@127.0.0.1:5483>
    12/10/2017 3:02:24 AM - [CM503025]: Call(C:74): Calling T:VMail:00@[Dev:sip:00@127.0.0.1:5483;rinstance=37e49136a261359a] for L:74.1[Line:10000<<1234567999]
    12/10/2017 3:02:24 AM - [CM503027]: Call(C:74): From: Line:10000<<1234567999 (<sip:1234567999@bm.3cx.at:5060>)  to  T:VMail:00@[Dev:sip:00@127.0.0.1:5483;rinstance=37e49136a261359a]
    12/10/2017 3:02:24 AM - [CM503004]: Call(C:74): Route 1: from L:74.1[Line:10000<<1234567999] to T:VMail:00@[Dev:sip:00@127.0.0.1:5483;rinstance=37e49136a261359a]
    12/10/2017 3:02:24 AM - [Flow] Call(C:74): has built target endpoint: VMail:00 for call from L:74.1[Line:10000<<1234567999]
    12/10/2017 3:02:24 AM - [Flow] Target endpoint for extension is VMail:00
    12/10/2017 3:02:24 AM - [CM503010]: Call(C:74): Making route(s) from Line:10000<<1234567999 to <sip:extension@127.0.0.1:5060>
    12/10/2017 3:02:24 AM - [CM505003]: Provider:[andom tec] Device info: Device Not Identified: User Agent not matched; Capabilities:[reinvite, replaces, able-no-sdp, recvonly] UserAgent: [Z 3.14.38765 rv2.8.3] PBX contact: [sip:ACCOUNT@SERVER.IP:5060]
    12/10/2017 3:02:24 AM - [Flow] Refer: RefTo=<sip:extension@127.0.0.1:5060>; was call from=<sip:HOL@127.0.0.1:5060> to=<sip:1234567999@127.0.0.1:5060>
    12/10/2017 3:02:10 AM - [CM503007]: Call(C:74): Ivr:HOL has joined, contact <sip:HOL@127.0.0.1:5483>
    12/10/2017 3:02:10 AM - [CM503007]: Call(C:74): Line:10000<<1234567999 has joined, contact <sip:ACCOUNT@voip.provider:5060>
    12/10/2017 3:02:10 AM - L:74.2[Ivr:HOL] has joined to L:74.1[Line:10000<<1234567999]
    12/10/2017 3:02:10 AM - [CM505001]: Endpoint Ivr:HOL: Device info: Device Not Identified: User Agent not matched; Capabilities:[reinvite, replaces, able-no-sdp, recvonly] UserAgent: [3CX IVR] PBX contact: [sip:HOL@127.0.0.1:5060]
    12/10/2017 3:02:10 AM - [CM503002]: Call(C:74): Alerting Ivr:HOL by contact <sip:HOL@127.0.0.1:5483>
    12/10/2017 3:02:09 AM - [CM503025]: Call(C:74): Calling T:Ivr:HOL@[Dev:sip:HOL@127.0.0.1:5483;rinstance=e2008981863c434b] for L:74.1[Line:10000<<1234567999]
    12/10/2017 3:02:09 AM - [CM503027]: Call(C:74): From: Line:10000<<1234567999 (<sip:1234567999@bm.3cx.at:5060>)  to  T:Ivr:HOL@[Dev:sip:HOL@127.0.0.1:5483;rinstance=e2008981863c434b]
    12/10/2017 3:02:09 AM - [CM503004]: Call(C:74): Route 1: from L:74.1[Line:10000<<1234567999] to T:Ivr:HOL@[Dev:sip:HOL@127.0.0.1:5483;rinstance=e2008981863c434b]
    12/10/2017 3:02:09 AM - [Flow] Call(C:74): has built target endpoint: Ivr:HOL for call from L:74.1[Line:10000<<1234567999]
    12/10/2017 3:02:09 AM - [Flow] Target endpoint for HOL is Ivr:HOL
    12/10/2017 3:02:09 AM - [CM503010]: Call(C:74): Making route(s) from Line:10000<<1234567999 to <sip:HOL@SERVER.IP:5060>
    12/10/2017 3:02:09 AM - [CM505003]: Provider:[andom tec] Device info: Device Not Identified: User Agent not matched; Capabilities:[reinvite, replaces, able-no-sdp, recvonly] UserAgent: [Z 3.14.38765 rv2.8.3] PBX contact: [sip:ACCOUNT@SERVER.IP:5060]
    12/10/2017 3:02:09 AM - [CM500002]: Call(C:74): Info on incoming INVITE from Line:10000<<1234567999:
    Invite-IN Recv Req INVITE from 46.166.142.226:33605 tid=sss0zxx9o3jh5643 Call-ID=0uwmNS4Hfoz6kymCigmZ3l..:
    INVITE sip:+61283106276@SERVER.IP:5060;transport=UDP SIP/2.0
    Via: SIP/2.0/UDP 169.215.175.219:5060;branch=z9hG4bK-524287-1---sss0zxx9o3jh5643;received=46.166.142.226
    Max-Forwards: 70
    Contact: <sip:1234567999@169.215.175.219:5060;transport=UDP>
    To: <sip:+61283106276@SERVER.IP;transport=UDP>
    From: <sip:1234567999@SERVER.IP;transport=UDP>;tag=86fyu0xk
    Call-ID: 0uwmNS4Hfoz6kymCigmZ3l..
    CSeq: 1 INVITE
    Content-Type: application/sdp
    User-Agent: Z 3.14.38765 rv2.8.3
    Allow-Events: presence, kpml, talk
    Content-Length: 292
    
    v=0
    o=Z 0 0 IN IP4 169.215.175.219
    s=Z
    c=IN IP4 169.215.175.219
    t=0 0
    m=audio 8000 RTP/AVP 18 3 110 8 0 97 101
    a=rtpmap:18 G729/8000
    a=fmtp:18 annexb=no
    a=rtpmap:110 speex/8000
    a=rtpmap:97 iLBC/8000
    a=fmtp:97 mode=30
    a=rtpmap:101 telephone-event/8000
    a=fmtp:101 0-16
    a=sendrecv
    12/10/2017 3:02:09 AM - [CM503001]: Call(C:74): Incoming call from Line:10000<<1234567999 to <sip:HOL@SERVER.IP:5060>
    12/10/2017 3:02:09 AM - Line limit check: Current # of calls for line Lc:10000(@andom tec[<sip:ACCOUNT@voip.provider:5060>]) is 1; limit is 4
    12/10/2017 3:02:09 AM - [CM503012]: Inbound out-of-office hours rule (unnamed) for 10000 forwards to DN:HOL
    12/10/2017 3:02:09 AM - [Flow] Looking for inbound target: called=+61283106276; caller=<sip:1234567999@:5060>
    12/10/2017 3:02:05 AM - Currently active calls [none]
    Thank you very much for your help!
     
  2. NickD_3CX
    Staff Member, 3CX Support Team
    The User-Agent "Z 3.14.38765 rv2.8.3" is actually Zoiper, and we are getting a lot of reports lately of this user agent causing trouble.

    Because 3CX, in the context of SIP trunks, is the UAC (client), it does not challenge incoming INVITE requests that it "thinks" are from the provider; that is why the calls are allowed in.

    What you can actually do is follow the security advice outlined here: https://www.3cx.com/3cxacademy/videos/advanced/security-with-3cx-phone-system/

    In short, get all the SIP server IPs your SIP trunk provider uses and all IPs of your remote STUN phones, add them to your firewall as allowed to access port 5060, and drop all other source IPs that send to 5060.
     
  3. neotheghost
    Thanks! Reading your comment gave me an idea. Wouldn't it be a sufficient solution for 3CX to implement something like "custom strings"? Let's say the admin could add an individual string to the SIP traffic of all devices so that they could identify themselves at the firewall level and get accepted instead of dropped. Guessing or brute-forcing the string would be impossible, and this kind of attack could be stopped easily without the need for IP blocks.

    Or am I wrong?
     
  4. NickD_3CX
    Staff Member, 3CX Support Team
    Theoretically that would provide a solution, but there are a few practical problems with this idea:
    • You can't set the User-Agent string on most devices to something other than what is there by default.
    • I think that from a firewall perspective it would be inefficient to do filtering at such a high level. The firewall would actually have to open each packet and do a string comparison to determine what's allowed and what's not. I think Linux iptables has that ability, but the same stands: as robust as it is, I think it may cause delays.

    It is worth mentioning that 3CX does by default block certain user agents, but given that this specific one corresponds to the actual Zoiper software, it was decided not to block it, since in some cases it is used by actual users and not as a brute-forcing tool.

    For the above reasons, I still think the best feasible way to tackle this would be with an ACL on your firewall with the IPs of your provider's SIP servers.
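A worked example of the approach the two support replies above recommend, added here and not taken from the thread, from 3CX or from Zoiper: parse the "Invite-IN Recv Req INVITE from IP:PORT" lines that 3CX writes for every received INVITE, decide by the real socket source address (not by the Via, Contact or From headers, which the sender fills in itself) whether each INVITE came from an allow-listed provider server or remote phone, and emit the port-5060 allow/drop ACL. The first sample INVITE is trimmed from the log in the opening post; the second INVITE, the provider ranges 203.0.113.0/24 and 198.51.100.7, the `SIP_ALLOW` chain name, the use of iptables and the default SIP port 5060 are all assumptions for the example.

```python
# Added example, not 3CX code. Assumes iptables on the PBX host or edge
# firewall, SIP signalling on the default port 5060, and placeholder
# provider/remote-phone addresses from the documentation ranges.
import ipaddress
import re
from dataclasses import dataclass, field

# Line 3CX writes per received INVITE (see the opening post's log). The
# address after "from" is the UDP/TCP socket source, which the sender cannot
# fake without losing the replies; every SIP header below it is sender-chosen.
INVITE_RE = re.compile(
    r"Invite-IN Recv Req INVITE from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
)
HEADER_RE = re.compile(r"^(?P<name>[A-Za-z-]+):\s*(?P<value>.*)$")


@dataclass
class Invite:
    src_ip: str            # real source address from the log line
    src_port: int
    headers: dict = field(default_factory=dict)

    @property
    def via_claimed_ip(self):
        """Address the sender put in its own Via header (attacker-controlled)."""
        m = re.match(r"SIP/2\.0/\w+\s+([^;:\s]+)", self.headers.get("Via", ""))
        return m.group(1) if m else None

    @property
    def user_agent(self):
        return self.headers.get("User-Agent")


def parse_invites(log_text):
    """One Invite per 'Invite-IN Recv Req INVITE' block, with its SIP headers."""
    invites, current = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = INVITE_RE.search(line)
        if m:
            current = Invite(m.group("ip"), int(m.group("port")))
            invites.append(current)
        elif current is not None:
            if line == "":                 # blank line ends the headers; SDP follows
                current = None
            else:
                h = HEADER_RE.match(line)
                if h:
                    current.headers[h.group("name")] = h.group("value")
    return invites


def build_allowlist(cidrs):
    """Provider SIP servers and remote STUN phones as networks (/32 for hosts)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def audit(log_text, cidrs):
    """Split logged INVITEs into (allowed, rogue) by their real source IP."""
    allowlist = build_allowlist(cidrs)
    allowed, rogue = [], []
    for inv in parse_invites(log_text):
        addr = ipaddress.ip_address(inv.src_ip)
        (allowed if any(addr in net for net in allowlist) else rogue).append(inv)
    return allowed, rogue


def iptables_rules(cidrs, port=5060):
    """The ACL from the replies: accept SIP signalling only from allow-listed
    sources and drop every other packet sent to the SIP port."""
    rules = ["iptables -N SIP_ALLOW"]
    for proto in ("udp", "tcp"):
        rules.append(f"iptables -A INPUT -p {proto} --dport {port} -j SIP_ALLOW")
    for net in build_allowlist(cidrs):
        rules.append(f"iptables -A SIP_ALLOW -s {net} -j ACCEPT")
    rules.append("iptables -A SIP_ALLOW -j DROP")
    return rules


# Constructed allow-list (documentation ranges, not a real provider).
PROVIDER_CIDRS = ["203.0.113.0/24", "198.51.100.7"]

# Constructed sample log: block 1 is trimmed from the opening post, block 2
# is an invented legitimate INVITE from the provider's SBC.
SAMPLE_LOG = """\
12/10/2017 3:02:09 AM - [CM500002]: Call(C:74): Info on incoming INVITE from Line:10000<<1234567999:
Invite-IN Recv Req INVITE from 46.166.142.226:33605 tid=sss0zxx9o3jh5643 Call-ID=0uwmNS4Hfoz6kymCigmZ3l..:
INVITE sip:+61283106276@SERVER.IP:5060;transport=UDP SIP/2.0
Via: SIP/2.0/UDP 169.215.175.219:5060;branch=z9hG4bK-524287-1---sss0zxx9o3jh5643;received=46.166.142.226
From: <sip:1234567999@SERVER.IP;transport=UDP>;tag=86fyu0xk
To: <sip:+61283106276@SERVER.IP;transport=UDP>
User-Agent: Z 3.14.38765 rv2.8.3
Content-Length: 292

v=0
12/10/2017 3:05:41 AM - [CM500002]: Call(C:75): Info on incoming INVITE from Line:10000<<0491570156:
Invite-IN Recv Req INVITE from 203.0.113.10:5060 tid=c0nstructed Call-ID=constructed-1:
INVITE sip:+61283106276@SERVER.IP:5060 SIP/2.0
Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bKprovider1
From: <sip:0491570156@sip.example-provider.net>;tag=p1
To: <sip:+61283106276@SERVER.IP>
User-Agent: ExampleProviderSBC/1.0
Content-Length: 0

"""

if __name__ == "__main__":
    ok, bad = audit(SAMPLE_LOG, PROVIDER_CIDRS)
    for inv in bad:
        print(f"ROGUE {inv.src_ip}:{inv.src_port} Via claims {inv.via_claimed_ip} UA={inv.user_agent}")
    for inv in ok:
        print(f"OK    {inv.src_ip}:{inv.src_port} UA={inv.user_agent}")
    print("\n".join(iptables_rules(PROVIDER_CIDRS)))
```

The decision key is the socket source that 3CX logs after "from", never a header: in the opening post's INVITE the Via header advertises 169.215.175.219 while the PBX recorded `received=46.166.142.226`, and From even claims the PBX's own address. The emitted rules cover only signalling on the SIP port (RTP ports are separate), and any provider server missing from the list will have its inbound calls dropped, so the list has to be kept in step with the provider's published server addresses.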
     